Beware Of The Internet Of Things' Despicable Side

Securing a network of connected devices and intelligent systems carries a hefty new price for IT professionals: personal safety.

With John Chambers' Internet of Everything vision from CES 2014 and Google's acquisition of Nest Labs ringing in my ears, it's easy to get carried away with the promise of connected smart gadgets and embedded systems. Hype and hyperbole aside, the Internet of Things is expected to generate tremendous economic value -- as much as $6.2 trillion annually by 2025, according to the McKinsey Global Institute.

Beyond the dollar signs, what I find exciting are examples where connectedness actually improves the lives of people. I'm not talking about a smartwatch telling me how I can burn extra calories, or my toothbrush dutifully reminding me my teeth need an extra polish, but rather innovation focused on improving the quality of life for people who often have no access to valuable technology.

Take, for example, the smart homes project in Australia -- where low-cost, non-invasive sensor, monitoring, and video systems are being developed to help the elderly live longer and more safely in their own homes. Or Safecast, a crowd-sourced global sensor network developed following the Fukushima nuclear disaster to collect and share radiation measurements.

But with all the power to work for the greater good, there is unfortunately a dark side. There are cases where security exposures in physical devices and embedded systems could easily cause severe disruption. So just like the main character Gru in the brilliant, computer-animated movie Despicable Me, I could -- if I were so inclined and had the technical smarts -- engage in some pretty nefarious and wicked activities. For example:

With a wry smile, I could hack into a home alarm system or even baby sleep-monitoring devices -- or better still, launch a campaign of malicious email from an army of security-compromised consumer devices including home routers, multimedia systems, televisions, and even refrigerators...

With an evil laugh, I could perhaps access a serial port on a heating and ventilation system, gaining unrestricted root access to office blueprints and other such goodies...

And if I were feeling particularly despicable, maybe I could infiltrate a utility smart grid using a man-in-the-middle attack to disrupt energy production. Or hey, while I've surrendered to my nasty side, why not infect the USB drives carried by contractors with malware to infiltrate industrial complexes and equipment...

I'm too nice to do any of this, but these examples remind us that the Internet of Things is becoming the new playground for a variety of hackers. These range from nuisance-factor "script kiddies" with access to publicly available tools, to more coordinated groups who have the means and inclination to cause harm.

This all creates a new challenge for security professionals: understanding and mitigating the risks associated with something that is often out of scope for them -- safety. And it's a huge issue requiring non-traditional, even "despicable," ways of thinking.

Understand your devices

Unfortunately, systems that have computing embedded into the device can be vulnerable. This could range from outdated open-source code to processor backdoors that can easily be exploited.

Products could also be made up of specialized OEM components where patching is not top-of-mind for the manufacturer -- especially those operating on razor-thin margins. As such, OEM security shortcomings can be as basic as hardcoding passwords into components that find their way into many products. An example: Last year, the FDA and Department of Homeland Security were forced to issue an alert urging medical device manufacturers to upgrade security protections to protect against potential cyber threats.

It's important, therefore, that security pros become much more familiar with embedded systems and equipment beyond PCs, servers, and networks. This shouldn't be restricted to the technology itself, but should also extend to understanding the compliance and legal issues that arise when hardware and software are provided by other manufacturers.

Walk on the nefarious side

Any IT pro worth his salt constantly surveys the security landscape for risks and vulnerabilities. But IoT exposures have been largely rare and hidden. When they have surfaced, vendors have been slow to disclose and fix them -- possibly because they're not yet motivated to do so or lack IT expertise.

My advice is to become more familiar with security issues openly discussed via newer channels. This should include organizations such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). But check out other resources too, such as the Black Hat security conferences, where experts present on IoT-related security topics.

Develop a killer instinct

Security experts have been trained to defend and protect applications and information. Now there's a twist -- any models and processes must be extended to consider the actual safety of people.

So, while it's still important to understand how a system can be attacked and information compromised from a privacy perspective, it's now crucial to extend that analysis to Internet of Things safety-related scenarios. This was illustrated just last year when a popular brand of smart LED lighting system was found to be vulnerable due to authentication issues which, if exploited, could cause home blackouts. Maybe that's not particularly dangerous, but what if a botnet-controlled malware attack infiltrated insecure lighting systems on a mass scale -- at sporting venues or in hospitals?

Unlike the ending in Despicable Me, I can't see a happy ending here -- at least for the time being. But I'm an optimist. In time all aspects of security will improve, but for now think about and work to prevent the more devious ways your connected things can be hacked. If you don't, someone else will.


I predict we'll be seeing and hearing a lot of fingerpointing with respect to security issues as the IoT emerges and evolves. It's a fascinating trend, but there will be a lot of gotchas that we haven't even started to fathom.

That's a very good point Marilyn and one of my personal concerns. OEMs are especially problematic, especially in those industry areas where they don't have the expertise and motivation to apply more rigorous security controls into the components they manufacture. They could also argue that it's the responsibility of the OS vendor or the chip/board manufacturer....blame game antics.

Security experts have been trained to defend and protect applications and information.

That's so true, but how knowledgeable about security threats are the manufacturers who build the smart things that will be flooding the marketplace in the coming years? Seems to me there will be a lot of risk to manage in the IoT to come. Also job opportunities in new industries....

Tom, please contain your enthusiasm! I do think the growth in Internet of things applications will come more quickly in industrial settings than consumer, since there's a cost-savings ROI from preventing breakdowns and keeping things running. But those also are exactly the kind of applications that need to be extremely secure. We're already hearing of companies not putting certain machines on the network because they run on ancient operating systems that just can't be made secure.